@usrbinkat
Last active March 6, 2024 18:17
Home K8s Native FW / Router

Kubernetes Single Node Edge Firewall, Gateway, and Ubiquiti AP Controller

This is a rough draft document describing the build of VyOS on microk8s for use as a home WAN firewall/router. I also use a Ubiquiti UAP Pro access point to broadcast my home wifi networks.

Here is a visual of the silent, fanless Intel i7 Kubernetes node, access point, and power-over-ethernet adapter. (image: kill-a-watt reading)

This is a slightly overestimated annual power cost for powering the whole setup. (image: Est Annual Cost)

Load average: (image)

Pod list: (image)

Hardware

These are the hardware choices I made, allowing for uses other than just dedicated firewall/router duties in my home. While I opted for more expensive selections, it is perfectly reasonable to choose other access points and cheaper Qotom, Protectli, Dell OptiPlex, or other hardware to serve the same purpose. The key requirements for your Kubernetes node are enough RAM and enough network interfaces (NICs) on the hardware you select or build to support your physical network layout. The cheapest option without sacrificing capability would likely be a second-hand Dell OptiPlex or similar discarded enterprise equipment. An i5 or better is recommended. For access points, I have only been using Ubiquiti devices for years but have also heard good things about Aruba devices for home use.

DISCLAIMER: I have no incentive, financial or otherwise, for sharing my hardware selection.

Operating System & Host Configuration:

For the OS, I installed Fedora Server 36. I also enabled the "Headless Management" packages during install. For networking, I configured one network interface on a bridge named wan0 with no IP address. The rest of the device's interfaces are attached to a br0 bridge for all internal networking.

Kubernetes + Kubevirt

This is a draft manual procedure demonstrating the microk8s + KubeVirt path I took.

Vyos on Kubevirt

Here are early testing artifacts for my deployment of VyOS on KubeVirt. I have since improved my methods and will continue to enhance them to accommodate a few other improvements before publishing a formal writeup.

Considerations

I configured this microk8s node with the microk8s registry plugin and set it to pull the VyOS container image from its internal registry. This prevents a chicken-and-egg problem: the unit has no internet access until the VyOS virtual machine boots, because internet access is provided through the VyOS instance itself.

I am using ephemeral virtual machines running directly from the container disk without any persistent data. To update my VyOS router configuration, I update the user-data secret with my new configuration commands, then delete the VyOS router. Within about 25-35 seconds this microk8s box spawns a new VyOS VM, and it is configured and operational per my user-data commands without any further interaction required.

I have run GitHub Actions in a container on this microk8s box to automate this user-data secret update and VyOS VM rotation. This has not been a very elegant method, however, because the GitHub Actions runner loses its connection for an unreasonable amount of time. The network outage during VM replacement could be averted by creating a pair of highly available VyOS VMs for redundancy and setting the pod rotation budget to 50%.

Alternatively, local Gitea and Tekton have also proven effective at accommodating the short network outage during pod rotation.
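As an added example (these are not the gist author's manifests), the pieces described in the Considerations above fit together roughly like this: the VyOS container disk is pulled from the microk8s registry addon, the router configuration is carried as VyOS cloud-init commands in a user-data Secret, the VM is attached to the host bridges through Multus bridge networks, and runStrategy: Always makes "delete the VMI" the rotation step. Assumptions: KubeVirt and Multus are installed on the node, the host bridges wan0 and br0 exist as described under Operating System & Host Configuration, the image name localhost:32000/vyos-containerdisk:latest is a placeholder for whatever was pushed to the registry addon, the LAN subnet is a placeholder (RFC 5737 documentation range), and the VyOS commands use 1.3-style syntax (the firewall and NAT syntax changed in 1.4).

```yaml
# Added example, not from the gist. Placeholders: image name, LAN subnet.
---
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: wan0-bridge            # L2 attachment to the host bridge that holds the WAN NIC
spec:
  config: |
    { "cniVersion": "0.3.1", "name": "wan0-bridge",
      "type": "bridge", "bridge": "wan0", "ipam": {} }
---
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: br0-bridge             # L2 attachment to the internal bridge
spec:
  config: |
    { "cniVersion": "0.3.1", "name": "br0-bridge",
      "type": "bridge", "bridge": "br0", "ipam": {} }
---
# The router configuration lives here; editing this Secret and deleting the
# VMI is the whole update procedure. Note the block scalar is passed to
# cloud-init verbatim, so no YAML comments belong inside it.
apiVersion: v1
kind: Secret
metadata:
  name: vyos-userdata
type: Opaque
stringData:
  userdata: |
    #cloud-config
    vyos_config_commands:
      - set interfaces ethernet eth0 description WAN
      - set interfaces ethernet eth0 address dhcp
      - set interfaces ethernet eth1 description LAN
      - set interfaces ethernet eth1 address 192.0.2.1/24
      - set nat source rule 100 outbound-interface eth0
      - set nat source rule 100 source address 192.0.2.0/24
      - set nat source rule 100 translation address masquerade
      - set firewall name WAN_IN default-action drop
      - set firewall name WAN_IN rule 10 action accept
      - set firewall name WAN_IN rule 10 state established enable
      - set firewall name WAN_IN rule 10 state related enable
      - set firewall name WAN_LOCAL default-action drop
      - set firewall name WAN_LOCAL rule 10 action accept
      - set firewall name WAN_LOCAL rule 10 state established enable
      - set firewall name WAN_LOCAL rule 10 state related enable
      - set interfaces ethernet eth0 firewall in name WAN_IN
      - set interfaces ethernet eth0 firewall local name WAN_LOCAL
---
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: vyos
spec:
  runStrategy: Always          # a deleted VMI is recreated, picking up the new Secret
  template:
    spec:
      domain:
        cpu:
          cores: 2
        resources:
          requests:
            memory: 2Gi
        devices:
          disks:
            - name: rootdisk
              disk:
                bus: virtio
            - name: cloudinit
              disk:
                bus: virtio
          interfaces:          # order here becomes eth0, eth1 inside VyOS
            - name: wan
              bridge: {}
            - name: lan
              bridge: {}
      networks:                # no pod network at all: only the two host bridges
        - name: wan
          multus:
            networkName: wan0-bridge
        - name: lan
          multus:
            networkName: br0-bridge
      volumes:
        - name: rootdisk
          containerDisk:       # ephemeral; nothing persists across a rotation
            image: localhost:32000/vyos-containerdisk:latest
        - name: cloudinit
          cloudInitNoCloud:
            secretRef:
              name: vyos-userdata
```

Apply with kubectl apply -f and rotate with kubectl delete vmi vyos after changing the Secret; the gap between the delete and the new VM finishing its cloud-init run is the outage described above, since the VM is the only path to the internet. Because the Secret is the router's entire configuration (and may eventually carry credentials), it is worth restricting who can read and edit it with RBAC rather than relying on the base64 encoding, which is not encryption.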

Opportunities

This is a rudimentary edge firewall/gateway/wifi solution. I will be adding more services such as:

  • pull through image registry mirrors
  • squid3 ssl bump proxy for DPI & cache acceleration
  • Local OpenDNS server & DNS based Ad Blocking service (similar to piHole)
  • Kong Ingress Controller
  • Wireguard VPN Service
  • Cert Manager
  • and more
@ossfellow

Very cool indeed.
Currently I’m using OPNsense on a Qotom server, plus a Ubiquiti UAP for wireless networking; but I bought a new RM2 server for VyOS to mix in Kubernetes for hosting some of the services I run on multiple Raspberry Pis, and also take advantage of VyOS APIs, for remote, in-cluster, administration.
I have been wondering if it’s easier (long term maintenance wise) to run Kubernetes (I’m an avid fan of Talos) on VyOS, or run VyOS on Kubernetes, and your setup presents a very compelling case for the latter.
Thank you for this write up; I’ll follow your progress for more insights and inspiration.

@usrbinkat
Author

@masoudbahar hey thanks for giving it a read. I'm a big fan of @siderolabs Talos as well and will be replacing the fedora + microk8s stack here for talos once the bridge configuration bug is resolved. That will make it metal > talos > kubevirt > vyos so that all layers are 100% api driven. It's pretty exciting to be sure.

@ossfellow

@usrbinkat, so it was you who reminded us all that in the reimplementation of the Talos network controller, the bridge configuration was accidentally dropped 😅
Nonetheless, as soon as I saw your configuration, I started wondering if it would be even possible to have Talos in a disconnected mode (i.e. setting up wan0 and br0, but not connecting to Internet, unprotected)!
I have to wait for the bridge configuration to run some network monitoring tests and find out.

@usrbinkat
Author

@masoudbahar yes, I was testing Talos for this use case at the time. I'll build a bunch of media around it once the bridge feature is reintroduced and I can create this stack on Talos.

@lorenzo95

lorenzo95 commented Dec 11, 2022

Hi there. Very interesting gist. I was curious about doing something similar. Have you looked at Talos since? Looks like the bug was closed.

@usrbinkat
Author

usrbinkat commented Dec 11, 2022

@lorenzo95 Talos is a fantastic base and totally worth using. I run a pi cluster, and an optiplex cluster on Talos, as well as half a dozen or so tenant talos k8s clusters. When I wrote this guide, we were waiting on a fix to enable bridge network configuration in the machine config and now that bridges are supported again this would totally work on Talos instead and I would HIGHLY recommend it.

You can find me at usrbinkat on talos slack too

@yasir2000

Hi there, are there any networking issues/config when deploying Mini PC router nodes in K8s cluster, especially for multiple nic cards and wifi interfaces. My scenario is wifi mesh using these nodes.

@usrbinkat
Author

@yasir2000 kubernetes plays very well with lots of nics and other hardware. You should be able to accomplish what you are wanting.
